I am not normally in favor of legislation, but I'd be okay with a fine for US-based companies that leak and expose this kind of data. Specifically, a harsher fine for cleartext or anything less than bcrypt.